fix up bpftrace-based operation

bert hubert 2024-04-26 00:21:49 +02:00
parent ef47d7cfae
commit 985c9bb97c
4 changed files with 32 additions and 38 deletions


@ -72,13 +72,17 @@ addresses, so you must check both sets before determining something is in
fact a Google service and not a Google customer.
# To run on a single process on Linux
Or, to track a single process, fe `firefox`, start it and run:
```shell
sudo bpftrace netsendmsg.bt |
grep --line-buffered ^$(pgrep firefox) |
stdbuf -oL cut -f2 | ./cidr.py | ./teller
grep --line-buffered ^$(pgrep firefox) | ./teller
```
Or try:
```shell
sudo bpftrace netsendmsg.bt | grep --line-buffered -i chrome | ./teller
```
And cry.

cidr.py

@ -1,18 +0,0 @@
#!/usr/bin/env -S python3 -u
import sys
from ipaddress import ip_network, ip_address
nets = []
with open("goog-prefixes.txt") as f:
nets = [line.strip() for line in f.readlines()]
for line in iter(sys.stdin.readline, ''):
line = line.strip()
for net in nets:
try:
if ip_address(line) in ip_network(net):
print(line)
continue
except:
continue


@ -6,7 +6,15 @@ kprobe:tcp_sendmsg
{
$sk = (struct sock *)arg0;
if($sk->__sk_common.skc_family==2) {
$daddr = ntop($sk->__sk_common.skc_daddr);
}
else if($sk->__sk_common.skc_family==10) {
$daddr = ntop($sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);
}
printf("%-8d\t%s\t(%s)\n", pid, $daddr, comm);
/* skc_v6_daddr, skc_family */
printf("direct\t%s\tpid%d\t%d\t%s\n", $daddr , pid, $sk->__sk_common.skc_family, comm);
}
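Review bot: `$daddr` is assigned only in the `skc_family==2` and `skc_family==10` branches, yet the new printf on the line after the comment prints it unconditionally; on kprobe:tcp_sendmsg those are presumably the only families that occur, but the script does not say so, and a reader will wonder about the fall-through case. Either move the printf into each branch or add a one-line comment above the if, `// tcp_sendmsg only sees AF_INET (2) / AF_INET6 (10) sockets, so $daddr is set on every path taken`. The added `/* skc_v6_daddr, skc_family */` reads like a leftover note; since teller matches lines that start with `direct` and takes the second tab-separated field as the address, replacing it with `// parsed by teller: direct <TAB> addr <TAB> pid<N> <TAB> family <TAB> comm -- keep field order in sync` documents the contract the printf now defines.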


@ -139,7 +139,7 @@ int main(int argc, char** argv)
}
string line;
while(getline(cin, line)) {
string ip;
/*
22:42:25.323984 IP 13.81.0.219.29601 > 10.0.0.3.32902: tcp 1186
22:42:25.323997 IP 10.0.0.3.32902 > 13.81.0.219.29601: tcp 0
@ -155,17 +155,17 @@ int main(int argc, char** argv)
auto pos2 = line.find('.', pos); // this misses out on IPv6 ICMP
if(pos2 == string::npos) continue;
line.resize(pos2);
string ip = line.substr(pos+2, pos2 - pos - 2);
if(auto fptr = tracksneg.lookup(ip.c_str())) {
auto ptr = (TrackerConf*)fptr;
cout<<ip<<" negative match ("<<ptr->name<<")"<<endl;
}
else if(auto fptr = trackspos.lookup(ip.c_str())) {
auto ptr = (TrackerConf*)fptr;
cout<<ip<<" match ("<<ptr->name<<")"<<endl;
ptr->counter++;
ip = line.substr(pos+2, pos2 - pos - 2);
}
else if(line.find("direct") ==0 ) { // ebpfscript output
auto pos = line.find('\t');
if(pos == string::npos)
continue;
auto pos2 = line.find('\t', pos+1);
if(pos2 == string::npos)
continue;
line.resize(pos2);
ip = line.substr(pos+1);
}
else {
auto pos = line.find('>');
@ -182,8 +182,9 @@ int main(int argc, char** argv)
if(pos2 == string::npos) continue;
line.resize(pos2);
string ip=line.substr(pos+2, pos2 - pos - 2);
ip=line.substr(pos+2, pos2 - pos - 2);
}
if(!ip.empty()) {
if(auto fptr = tracksneg.lookup(ip.c_str())) {
auto ptr = (TrackerConf*)fptr;
cout<<ip<<" negative match ("<<ptr->name<<")"<<endl;
@ -194,7 +195,6 @@ int main(int argc, char** argv)
ptr->counter++;
}
}
}
sleep(1);
}
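Review bot: `line.find("direct") == 0` on the new `// ebpfscript output` branch scans the entire line before the comparison can fail, and this runs once per trace line; `line.compare(0, 6, "direct") == 0` (or `line.rfind("direct", 0) == 0`) tests only the prefix and reads as the intended "starts with". The branch also hard-codes the tab-separated layout emitted by netsendmsg.bt without saying so; a comment above it, `// netsendmsg.bt line: "direct" \t <addr> \t pid<N> \t <family> \t <comm>; the second field is the peer address`, would tie the two files together for whoever next edits either printf or parser. The tcpdump-style branch that follows still does the same `substr(pos+2, pos2 - pos - 2)` arithmetic twice (second and third hunks), so both paths now feed the shared `if(!ip.empty())` lookup, which is an improvement; main() itself starts before the first hunk.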